Facebook passwords stolen by 25 malicious Android apps: What to do

[Image: Facebook on an Android mobile phone. Image credit: dennizn / Shutterstock.com]

Twenty-five malicious Android apps that were secretly designed to steal Facebook account credentials have been deleted from the Google Play Store.

According to French information-security firm Evina, the apps amassed over 2.34 million downloads before they were removed from the Play Store in early June. 

In a blog post, Evina's researchers wrote: “This malware could effectively ruin your online and offline life by making off with the credentials of one of your most valued pieces of digital real estate.” 

The apps also bombarded users with ads and opened new web-browser tabs, according to angry user reviews on Google Play that were captured by Evina. It's not clear how many users ended up having their Facebook credentials stolen.

Tricking users

To trick Android users into downloading them, the 25 malicious apps masqueraded as games, flashlights, wallpapers, image and video editing software, QR code scanners, step counters and file managers.

While the apps performed these functions, the researchers said the apps could also “check if the Facebook app is running in foreground”. 

If that was the case, the apps would then try to fool users into entering their Facebook credentials into a fake Facebook login page. 

“When an application is launched on your phone, the malware queries the application name,” said the Evina blog post. “If it is a Facebook application, the malware will launch a browser that loads Facebook at the same time.”

“The browser is displayed in the foreground which makes you think that the application launched it.”

Playing into hackers' hands

By entering their details on that fake page, users were effectively sending their Facebook credentials straight to the attackers -- without ever realising it.

The researchers explained: “When you enter your credentials into this browser, the malware executes JavaScript to retrieve them. The malware then sends your account information to a server.”

Evina discovered the malicious apps in May and subsequently reported them to Google. After reviewing the findings, Google went on to remove them at the start of June. 

“Downloading unknown or low-reviewed apps on the Play Store can be fraught with danger,” Jake Moore, a security specialist at ESET, told Tom’s Guide.

“These apps can cause damage to a device or even steal credentials such as passwords and one-time passwords. I would always suggest users fully research apps before they think of installing them.”

He added: “Malware can lurk around on legitimate app stores, but they are easier to distinguish from genuine apps as download numbers will usually be low. My advice would be to stick to well-known apps with good reviews and trusted app stores.

“Furthermore, to protect your social media and other accounts from being hacked, make sure you turn on two-factor authentication in case your details are ever compromised.”

To that, we'd add that one of the best Android antivirus apps will help protect your phone from malicious apps such as these, whether they come from Google Play or "off-road" app markets.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
